craigk5n / webcalendar

WebCalendar is a PHP application used to maintain a calendar for a single user or an intranet group of users. It can also be configured as an event calendar.
http://www.k5n.us/webcalendar.php
GNU General Public License v2.0

Allow opt-in for placing webcalendar within iframe #383

Closed Tharrington86 closed 10 months ago

Tharrington86 commented 11 months ago

I just upgraded to version 1.9.1 and I can no longer deploy the calendar across our network embedded into an iframe.

Console error is as follows: Refused to frame 'My URL' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

Is this intended behavior? I need the ability to embed the calendar via iframe on our company intranet site.

craigk5n commented 11 months ago

Yes, this is an intended behavior for security reasons. I'll change the title of this to opting in to allow this.

Tharrington86 commented 10 months ago

That would be a great option to include, especially for us legacy users that are embedding the calendars in other webpages.

I am unfamiliar with PHP, but if you could point me in the right direction, I will see what I can come up with.

craigk5n commented 10 months ago

Version 1.9.8 now has an option in Admin Setting under "Site security" where you can set the CSP value to allow use of iframes.

Tharrington86 commented 10 months ago

I just tried to upgrade to v1.9.8 and everything went smoothly, except I still cannot get the calendar to display in an iframe. After I ran the installation wizard, I logged in to the calendar via the direct URL and selected to allow any site to iframe and disabled the origin checking. When trying to view the embedded calendar, nothing is displayed and the following is displayed in the console: {IntranetURL} blocked a frame with origin {webCalURL} from accessing a cross-origin frame.

Upon regressing to v1.3.0 the iframe properly displays the calendar again.

craigk5n commented 10 months ago

Can you use the Chrome developer tools to inspect the HTTP response header? I'm curious if it is sending the correct headers.
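
The header check requested above, as an added example that is not part of the original thread or WebCalendar's code: given a response's headers, it reports whether a page on another origin may frame it, using `frame-ancestors` when present and `X-Frame-Options` otherwise. The URLs are constructed placeholders and the function names are hypothetical.

```javascript
// Added example (not WebCalendar code). Simplified matcher: single policy,
// direct embedder only, host-sources without a path.
function frameAncestorsSources(csp) {
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // directive absent
}

function sourceMatches(source, parent, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parent.origin === self.origin;
  if (s === '*') return ['http:', 'https:'].includes(parent.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A host-source without a scheme is matched against the resource's own scheme.
  if (parent.protocol !== (scheme ? scheme + ':' : self.protocol)) return false;
  const defaultPort = parent.protocol === 'https:' ? '443' : '80';
  if ((port || defaultPort) !== (parent.port || defaultPort)) return false;
  return wildcard ? parent.hostname.endsWith('.' + host) : parent.hostname === host;
}

function framingDecision(headers, resourceUrl, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const self = new URL(resourceUrl);
  const parent = new URL(parentOrigin);
  const sources = frameAncestorsSources(h['content-security-policy'] || '');
  if (sources) { // frame-ancestors present: browsers ignore X-Frame-Options
    const allowed = sources.some((s) => sourceMatches(s, parent, self));
    return { allowed, decidedBy: 'frame-ancestors ' + sources.join(' ') };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, decidedBy: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN')
    return { allowed: parent.origin === self.origin, decidedBy: 'X-Frame-Options: SAMEORIGIN' };
  return { allowed: true, decidedBy: 'no framing restriction' };
}

// Constructed sample mirroring the console error quoted in the first comment.
console.log(framingDecision(
  { 'Content-Security-Policy': "frame-ancestors 'self'" },
  'https://cal.example.test/month.php', 'https://intranet.example.test'));
```

Listing the intranet origin explicitly in `frame-ancestors` keeps the clickjacking protection for every other site, which an allow-any-site setting gives up.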

Tharrington86 commented 10 months ago

[Three screenshots attached: Screenshot 2023-09-18 161952, Screenshot 2023-09-18 162153, Screenshot 2023-09-18 162227]

craigk5n commented 10 months ago

Forgot about that bit of code... Hopefully latest commit will fix this: 5e5d0e5a70a590f5809530dcbf9735bbdfa9500a

Tharrington86 commented 10 months ago

I can confirm that this change does work. I made the modifications and the calendar is now working in an iframe. Thank you!

craigk5n commented 10 months ago

Glad to hear it's working 👍